On TaoBao, the Chinese version of eBay, you can rent a significant other for a family reunion or buy a live scorpion. But perhaps the most questionable thing you can purchase is a botfarm in a box: a jailbroken iPhone 4 loaded with software that lets a buyer easily create multiple fake accounts on social networking and dating sites.
We live in the mobile age, with more and more of our favorite services accessible primarily or only from smartphones. To match our online behavior, spammers have had to go mobile as well. The software on the jailbroken iPhone includes GPS spoofing as a feature, so fake users can appear to be anywhere in the world. A botmaster based in China could, in theory, make one of his Tinder-like bots appear to be in the same bar as you. You'd swipe right expecting a hook-up, and instead your hottie would start telling you about the cool new mobile game she's playing on her phone.
This is the botfarm seller's pitch on TaoBao, translated from Chinese by Fusion's Isabelle Niu:
Register, greet strangers and make money. It not only allows you to register new accounts so you can sell them, but also so that you can use them to make money. It includes 30 random combinations, automatic messaging, automatic login, continuous search for users nearby. Yes, that's exactly what it is!
The TaoBao seller, who didn't accept our friend request on Chinese messaging platform QQ, has nearly 400 jailbroken iPhones on offer, and hundreds of positive reviews. The spam-spawning iPhones range in price from 4,500 yuan, or roughly $700, if you want easy mass registration of accounts and GPS-faking capabilities, to as low as 500 yuan, or $79, for a phone that just generates fake locations.
A charge of $700 seems outrageous for a used iPhone, but the seller breaks down the math of the bot business, explaining how much you can make selling the services of your bots:
Right now one account on the popular dating app Momo sells at 10 yuan. It takes about 5 minutes to register one using my software. So in the course of one day, you will be able to register 288 accounts and own products that are worth 2,880 yuan. How much do you spend on buying accounts each month? The price I'm charging isn't just for the device but also for the technology and skills.
Momo works like Tinder. The apps named in the ad are all location-based social discovery services built for mobile. Named explicitly are WeChat, the Facebook of China; iAround and Moca, which are similar to Tinder; Bilin, which lets you audio chat with users nearby; and iWeju, the meetup.com of dating.
The software could theoretically be used to create fake accounts of any kind. But the most valuable to hucksters, at least according to the seller, are fembots. The ad is full of screenshots of bots with images of attractive young girls for avatars.
Sorry, guys, but you're seen as the most gullible targets. Botmakers usually opt for "young females" when creating bots that can automatically log in, detect when other users are nearby and message them. It's what sells. The cheating site Ashley Madison was reportedly overrun by company-programmed fembots whose mission was to entice men to buy chat credits. Tinder also has a girl-bot problem. Once a guy (or gal) "matches" with a fembot, it tries to get them to click on an ad, sell them an online game, or simply dupe them into downloading malware.
Nuking bots has been a Sisyphean task for web companies for years. Twitter can't seem to get rid of them. Facebook has a whole team of people devoted to bot detection, but spam still crops up from time to time. In December, Instagram scrubbed millions of fake accounts from its community. Still, there's a whole underground economy based on faux content, reviews, and users.
Basic bots that all come from the same IP address are easy to detect and kill: dozens of fresh accounts sharing one source address cluster together no matter what client they claim to be. So bot-herders have had to up their game and make their fake users look more convincing, for example by making it look like they are coming from an iPhone.
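The check the paragraph above describes, written out as an added example that is not part of the article or of any product it mentions: a sliding-window count of new accounts per source IP over a registration log. The log format, the IP addresses, the account handles and the client strings are all constructed for this example, and the log is assumed to be in time order.

```python
"""Flag account-registration bursts from a single source IP (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample registration log (hypothetical format, time-ordered):
# ISO timestamp, source IP, new account handle, self-reported client string.
# The burst from 203.0.113.7 all claims to be an iPhone; the shared IP gives it away anyway.
SAMPLE_LOG = """\
2015-03-02T09:00:05,203.0.113.7,lily_88,iPhone4/iOS7
2015-03-02T09:01:10,203.0.113.7,xiaomei_2,iPhone4/iOS7
2015-03-02T09:02:31,198.51.100.23,zhang_wei,Android/4.4
2015-03-02T09:03:02,203.0.113.7,anna_love,iPhone4/iOS7
2015-03-02T09:04:44,203.0.113.7,yue_yue,iPhone4/iOS7
2015-03-02T09:06:12,203.0.113.7,meimei,iPhone4/iOS7
2015-03-02T09:07:59,203.0.113.7,sunny_girl,iPhone4/iOS7
2015-03-02T11:45:00,198.51.100.23,li_ming,Android/4.4
2015-03-02T14:20:17,192.0.2.5,bob,iPhone5/iOS8
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, handle, client)."""
    ts, ip, handle, client = line.strip().split(",")
    return datetime.fromisoformat(ts), ip, handle, client


def find_registration_bursts(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: peak_count} for every IP that created at least `threshold`
    accounts inside any `window`-long span. Assumes lines are time-ordered."""
    recent = defaultdict(deque)  # ip -> registration timestamps still inside the window
    peak = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _handle, _client = parse_line(line)
        q = recent[ip]
        q.append(ts)
        # Drop registrations that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return peak


if __name__ == "__main__":
    for ip, count in find_registration_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} registrations within 10 minutes")
```

With the constructed log, only 203.0.113.7 is flagged (six accounts in under eight minutes); the two accounts from 198.51.100.23 are hours apart and stay below any reasonable threshold. The client column is deliberately identical across the burst to make the article's point: claiming to be an iPhone does nothing against a check keyed on the source address, which is why a bot-herder who wants to survive it has to spread registrations across real devices and real network paths.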
The problem for the botmakers is that mimicking the behavior of mobile users is more difficult, says Fang Yu, the cofounder of security startup Datavisor. It's easier to build bots that interact through a browser than ones that interact through an app.
"There are a lot of tools an attacker can use to record the traffic from the browser and reverse engineer the web application," she said. "Phone traffic follows a different pattern." Each app can have a customized way to encrypt its traffic, which makes the job more difficult.
Some spamlords have turned to Android emulators that make it look like traffic is coming from an Android device. These emulators can "run" apps and make it look like a user is on a phone. But Fang Yu says there aren't any good iPhone emulators on the black market because, unlike the open-source Android operating system, iOS is tightly controlled by Apple, so it's more difficult to create a fake version. So if a botmaker wants to infiltrate a popular, mobile-only iOS app, he needs a jailbroken iPhone.
"Hardware-based solutions are relatively rare," says Yu, who pointed out the ad to Fusion. "It raises the cost."
But where users go, spammers will follow, even if it's expensive.
Daniela Hernandez is a senior writer at Fusion. She likes science, robots, pugs, and coffee.
Isabelle Niu is a digital video producer at Fusion.